What’s the Deal with Identity Theft? Free Chapter Included!

Robert Ryerson entered the financial industry in 1984 when he went through training to be a “stockbroker”, as they were then called, for Shearson Lehman American Express in the World Trade Center in NYC. He broadened his efforts in the field by becoming a Certified Financial Planner (CFP) in 1991. More recently, he became concerned about the epidemic of identity theft, and became a Certified Identity Theft Risk Management Specialist (CITRMS). Last year he published the book “What’s the Deal With Identity Theft-A plain English Look at Our Fastest Growing Crime,” which is available as an e-book and paperback on Amazon. In this blog post, Ryerson gives vpnMentor readers a sneak preview to the eleventh chapter of the book, which talks about some emerging trends in the fight against identity theft. So grab your cup of coffee and let's get to it.

What new knowledge did you gain whilst writing the book?

About 5-6 years ago I became interested in the subject of identity theft because it was in the news so frequently, and appeared to be morphing well beyond just a threat to a credit card or bank account. I did a lot of research and discovered that the true scope of the problem was much larger and more complex than most people imagined, and that there were many misconceptions still prevalent in the public arena regarding identity theft. I learned that there were actually 6 major types of ID theft, and that “prevention” was no longer realistic, as we all have too much of our personal information out in the cloud and generally out of our control. I also learned about the ability of the cyber thieves to adapt to, and stay ahead of, “improvements” in security measures. I cover all of this in the book, and discuss the loss of privacy that accompanies such things as implanted RFID chips and facial recognition software. Pretty alarming stuff. I have attached the chapter that deals with these newer biometric issues for you.

Below is the 11th chapter of What’s the Deal With Identity Theft

Chapter 11

A LOOK DOWN THE ROAD

(The emerging biometric identity trend)

How we even think about identification is changing rapidly. From the standard old “Can I see your driver’s license, please,” we are heading rapidly into an era in which various types of biometric identification techniques will become commonplace and required. Identification by DNA sample, iris scans, electrical signals, and even personal smell has changed the way we think about identities.[1] According to Kensho Technologies founder and blogger Daniel Nadler’s “At the digital edge”, although DNA is by far the most successful means of identifying anyone, its applications are limited by cost and privacy issues in the commercial arena.[2]

India, for example, is building the biggest biometric database in the world through its Aadhaar System, which is a rough equivalent of the US Social Security numbering system, with the key difference that the numbers are only issued after an iris scan, fingerprints, and facial scans are provided.[3]

Experiments at the University of California, Irvine, have a goal to make transactions relying on PINs and passwords more secure, by checking the PIN against the signature of electricity in someone’s system.[4]

Some emerging trends in the fight against identity theft

Your Smartphone Will Replace Your Wallet

According to Visa, Americans are now twice as likely to carry a mobile phone as they are cash. And for those Americans in the 18-34 age range, four times as likely. If your driver’s license image on your smartphone will suffice at traffic stops or at the TSA line or the gate before boarding a plane, why wouldn’t your gym accept your membership card on your smartphone? Your Library card? Insurance Card? Vehicle Registrations? Other important documents?

While there will be security challenges to be overcome, and the inevitable uptake time for the general public to accept the new way of doing these things, I would suggest avoiding investments in wallet makers until further notice. Today, if you leave your wallet at home, you may be looking at a mess of a day, but in the future, digital identification documents may be accepted all over, and render your wallet obsolete – or at least a lot thinner. Of course, having your good old plastic driver’s license, or medical cards, etc. in your purse or back pocket may still be advisable in a wallet for now, as your cellphone can still run out of power, or get lost or be stolen. Also, it is still more of an effort to create a physical fake ID than to Photoshop one, and display it on a smartphone.[5]

Security concerns for smartphones….calling SIRI…from a distance!

In a worrisome report in October of 2015, Wired.com explained that Siri (Speech Interpretation and Recognition Interface), the natural language user interface on Apple iPhones, iPads, iWatches, etc. that acts as an intelligent personal assistant, could be obeying the orders of not just you, but hackers who talk to her, including a hacker who may be transmitting silent commands via radio from as far as 16 feet away! Researchers in France discovered that without speaking a word, the hackers could use a radio attack to tell Siri (or Google Now) to make calls, send texts, dial the hacker’s number (to turn the phone into an eavesdropping device), or to send spam and phishing messages via Twitter, Facebook, or email.[6] The director of the research group, Vincent Struble, explained the potential critical security impacts by stating “The sky is the limit here. Everything you can do through the voice interface you can do remotely and discreetly through electromagnetic waves.”[7]

Similarly, a fall of 2015 study from the University of Cambridge found that 87% of Android devices were insecure, and were exposed to at least one of eleven critical vulnerabilities.[8]

Social Media and Social Website Problems

With the explosive growth of social media came various concerns about breaches and security flaws. In the summer of 2015, a bug discovered in the WhatsApp web extension put 200 million users at risk of hackers being able to take control of the WhatsApp users’ computers with just their phone number. Security firm Check Point claimed to have discovered a vulnerability that allowed hackers to distribute malware, including ransomware, to the compromised computers.[9]

In late February and early March of 2014, eBay suffered a massive security breach in which hackers gained access to information including eBay customers’ names, addresses, emails, dates of birth, and phone numbers. More troubling was the fact that the database was compromised in late February, but not detected until early May. EBay urged all of its 145 million users with an active account to “immediately” update their passwords.[10] The eBay news came shortly after an encryption flaw called the Heartbleed Bug affected many popular websites and services such as Gmail and Facebook. The Heartbleed Bug quietly exposed sensitive account information, such as passwords and credit card numbers, and was widely undetected for over two years.[11] Surprisingly, following the Heartbleed bug news, a survey conducted by Software Advice revealed that 67% of users did not update their passwords. Whether that is due to people being “too busy” these days, or just the regular inertia and procrastination that so many of us succumb to, it helps to make the case for handing off the responsibility and potential heavy lifting involved in a recovery to a capable third party.

In the winter of 2013, Twitter announced that 250,000 accounts had been hacked in a security breach.[12] An earlier Twitter security breach in 2009 had targeted information from Twitter employees, and allowed the hacker to gain access to several Google Apps that Twitter relied on for sharing notes, spreadsheets, ideas, and financial details about the company.[13]

Today, more and more of our personal information and identity-confirming data is out of our control. It is out in the cloud and in various databases (our doctors’ records, insurance providers, schools, employers, social media sites, frequent online shopping sites, etc.), and not only can we not control or monitor it all, but most often we cannot find out about a breach until well after the fact. As we have seen, in the past few years, most of the larger social media players have also suffered breaches of one degree or another. The CREDIT.COM article goes on to state that cybercrimes and identity related scams are changing “faster than trending hashtags on Twitter”, and that none of us know what will happen next.[14] Over the past few years there were many high profile incidents in which social media or nationwide retailers were hacked, even as the number of users continued to grow.

For example, Apple responded to the very high profile celebrity breach in the summer of 2014, in which several celebrities had nude photos released without their knowledge or permission, by strengthening their iCloud security. They expanded the use of “two-step verification” under which the account holder was required to enter a four digit code in addition to their user name and password. The code was either texted to a trusted mobile phone number, or sent via the Find My Phone app, and if that code was not entered, the user was refused access to iCloud, and could not make iTunes, iBooks, or App Store purchases. If the accountholder had kept a 14-character recovery key safe somewhere else, they could use that recovery key to regain access in the event their device was lost or stolen.

“We’ve seen so much in recent times that a single-step verification - i.e., passwords - is vulnerable, … so two-factor authentication should be the default,” said Prof Alan Woodward, from the University of Surrey, England, at the time.[15] For its part, Apple’s CEO Tim Cook told the Wall Street Journal that it “plans to more aggressively encourage people to use two-factor authentication and stronger passwords.” Cook added, “When I step back from this terrible scenario … I think about the awareness piece. I think we have a responsibility to ratchet that up. That’s really not an engineering thing.”[16] The two factor authentication effort quickly morphed into the more secure and convenient NFC oriented ApplePay (and SamsungPay, and AndroidPay), which is a contactless payment technology that pulls your credit cards, debit cards, and other sensitive payment data from your Wallet app, enabling you to use the phone in lieu of a wallet or purse when shopping.[17] ApplePay became widespread in the US in 2015, and in the UK, Canada, and Australia as of early 2016, with plans to expand its use worldwide.

Facebook too has faced criticism, and made “adjustments” several times over the past several years relating to lax privacy policies, in which users’ information, including their age, photos, residence, and even occupation, was easily obtainable by anyone using the Facebook ID number and a standard web browser, even if that person had set all their Facebook information to be private.[18] In another example of Facebook’s continual privacy breach problems, the company admitted, in June of 2013, to an “inadvertent” year-long data breach which exposed 6 million users’ phone numbers and email addresses to “unauthorized viewers.” Blaming the leaks on a technical glitch which they quickly fixed, Facebook said that they had seen no evidence that the bug had been exploited maliciously, and that they had not received complaints from users about anomalous behavior on the tool or site. “It’s still something we’re upset and embarrassed by, and we will work doubly hard to make sure nothing like this happens again,” the company added.[19] They did not succeed. The next summer, they were back in the news with their controversial push to have everyone install the Facebook “messenger app” on their smartphones, which was faster and gave users broader links and capabilities, but which also asked users for “permission”, in the fine print, to access their contacts, location at all times, text messages, camera, and microphone, and more.[20]

Needless to say, many people saw no reason for Facebook to tell all their friends where they were all the time by using the phone’s GPS, or to have the ability to read and edit text messages and take pictures and record audio. Not knowing what Facebook was going to do with access to all of their contacts, along with their other new requests for powers and access, led many users to say no thanks, or to be wary and uncomfortable as they did agree to download the new app. In an environment in which privacy breaches were almost daily news, and given their own prior track record on that front, it was understandable that people got upset, and were mistrustful, even if Facebook’s intentions were innocent. Facebook’s privacy shortcomings spilled over into 2015, as some European countries claimed they were violating consumer protection laws. A report from the University of Leuven in Belgium pointed out that “there is no way to stop Facebook from collecting location information on users via its smartphone app other than to stop location access on the smartphone at the level of the mobile operating system.”[21]

Into a dystopian future…..George Orwell and Philip K. Dick would be smiling…

Don’t Talk! Just watch!

Samsung recently created quite a stir by warning customers not to discuss personal information in front of their new Samsung Smart TV. The warning applied to people who controlled their Smart Television using its voice activated feature. When the feature was active, Samsung explained, the TV set listened to what was said, and shared it with Samsung and third parties. This information was discovered in a privacy notice Samsung included with the purchase of all of their Smart TVs, which stated “If your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.”[22] “We are NOT having your parents here next week!” “I’m pregnant and it’s not yours” and other such outbursts come to mind!

The third party handling the translation from speech to text was a firm called Nuance, which is based near Boston, and which specializes in voice recognition, Samsung told the BBC.[23] As long as all the people with access to the translated info are not identity thieves, it may only be an amusement for them….

The Facial Recognition Trend

In another example of our march toward impressive but alarming technology, the February 2016 edition of Consumer Reports had a story entitled “Facial Recognition: Who’s Tracking You in Public?” The article explained that facial recognition “faceprints” are created as you walk into a store in a shopping mall, for example, by security cameras that feed the video they are constantly shooting to computers that pick out every face in the crowd and rapidly take many measurements of each one’s features, using algorithms to encode the data in strings of numbers. When or if a match is found, the system alerts salespeople, who can now greet you by name, or security guards, who can now watch you in the aisles so you don’t shoplift again.[24]

Facial recognition software and systems are being used in many public venues—malls, casinos, train stations, airports, stadiums, even churches. It has the potential, obviously, to remove the anonymity of the crowd that we all currently take for granted. For many people, it is refreshing or even comforting to “get lost in the crowd” and enjoy their time walking through a public space where no one knows their name or will bother them for anything.[25]

Facial recognition is more firmly established online, according to Consumer Reports, than in the physical world. Facebook, in fact, published a paper in 2014 on a project it called DeepFace, which it claims is over 97% accurate in comparing two photos and deciding whether they depicted the same person. The company’s algorithms are now almost as adept as we are at recognizing someone just based on their silhouette, or the way they stand or walk.[26]

In the seemingly endless saga of Facebook’s overstepping of privacy, Kelly Gates, an associate professor in communication and science studies at the University of California, San Diego, points out that “people have voluntarily uploaded millions of images, but for their own personal photo-sharing activities, not for Facebook to develop its facial recognition algorithms on a mass scale.”[27] Gates is the author of “Our Biometric Future: Facial Recognition Technology and the Culture of Surveillance”, and is among the privacy experts who feel that the harnessing and tagging of millions of photos uploaded by its 1.5 billion users by Facebook is a misuse of personal data. The article goes on to state that there is no ready solution if someone steals your faceprint or other biometric files, like there is for a compromised PIN or driver’s license, etc. Consumer Reports finishes by saying that there are currently no consumer protections at all on the facial recognition front, and that we all should have the right to know who has a copy of our faceprint, or our child’s faceprint, and who it is being shared with.[28]

Getting Under Your Skin?

In early 2015, the Daily Mail Online and other news outlets reported that the Epicenter hi-tech office building in Stockholm, Sweden implanted microchips in its staff, in the back of their hands. The chips are about the size of a grain of rice, and use radio-frequency identification (RFID). These microchips allow these volunteer users to open security doors in the building, operate the photocopiers, and even pay for lunch in the cafeteria. The company hopes that eventually all of its roughly 700 employees will voluntarily have the chips implanted under their skin.[29]

The newspaper also reported that RFID chips can already be found in the Oyster System of contactless cards that more than 10 million people use to pay for public transportation in London.[30] A spokesman for a Swedish bio-hacking group, BioNyfiken, which implanted the chips into the Epicenter building workers who volunteered said, “Today it’s a bit messy – we need pin codes and passwords. Wouldn’t it be easier to just touch things with your hands?” He added, “We want to be able to understand the technology before big corporations and big government come to us (the public) and say everyone (needs to) get chipped – the tax authority chip, the google chip or the Facebook chip.”[31]

While many people will embrace the next step in the move toward a cashless and contactless (no swiping of a card, etc.) society, many other people are uncomfortable with the whole idea. In 2005, influential consumer advocate, Katherine Albrecht, co-authored a book with Liz McIntyre about the advent of the RFID chips called “Spychips: How Major Corporations and Government Plan to Track your Every Move with RFID.” In it, the authors warn that these RFID chips, which are already becoming a part of passports and various payment cards, bear an uncanny resemblance to “the mark” described in the Bible’s Book of Revelation – especially the subcutaneous version implanted in peoples’ hands.[32]

Because RFID chips contain unique identification codes, if the time does come that the public is compelled to have these micro-chips implanted, or overcome its natural reluctance to adopt new technological changes, identity theft risks as we know them today may become moot: there may be no more identity theft possible.

In the meantime,….

The End of the Swipe and Sign Credit Card is Here

(And a sharp decline in credit card fraud with it)

A huge shift in the way you use your credit card arrived recently, and it was long overdue. The US was the last of the G20 nations to still use the old fashioned swipe and sign system, and it accounted for the fact that America suffered almost half of the world’s credit card fraud despite processing only about a quarter of all credit card transactions.[33]

An NFC (near field communication) chip in your new credit or debit card acts as a tiny radio transmitter, and is activated when it receives a signal from another NFC-enabled device, such as the payment register in the department store, or any other point of service terminal with near field communication. The NFC chips act as authenticators for the transaction, and helped replace the plastic cards you carried in your wallet in early 2015, by early 2016.

Instead of swiping and signing, the US will join the rest of the world in the chip and pin process, in which you, or more likely the vendor, will insert your card into a slot, and confirm that the machine is reading your card’s chip by entering a pin number, or by signing the receipt (chip and sign, which is the preferred method here in America). While people can still use their swipe and sign cards for a while, and not all merchants invested in the required new equipment on a timely basis, the ultimate goal is to drive more and more fraud out of the system.[34] Regardless of the timing of chip and pin replacing the magnetic stripes and signatures for verification, security experts agree that the new EMV (for Europay Mastercard Visa, the inventors of the new system) chip cards will be more secure than the old magnetic stripe cards were.

There are two types of EMV transactions that consumers can use: contact transactions and contactless transactions. Both options allow for greater security by insisting on a “handshake”, or active permission, if you will, from both the terminal and the initiating device (a card or smartphone), as explained by Fred Badlissi, a writer and editor for Intuit.[35] The newer cards will still have a magstripe on the back for a while to ensure continued acceptance at locations that have not yet migrated over to the new terminals and system. The data stored on the magnetic strip is unprotected and never changes, so the move to the more secure chip and sign EMV cards, which mark each transaction with its own unique dynamic data authentication key (DDA), is only natural, and will save lots of money and headaches for the vendors.

As we saw with a credit freeze, however, the new EMV cards will not stop the creation of new fraudulent cards or accounts; they will only protect your existing cards and accounts.

Beyond plastic cards…

IBM proudly announced in the fall of 2013 that they had brought “dual-factor authentication” to mobile phone transactions, by using wireless near-field communications links to allow people to simply bump or tap their smartphones against their NFC-enabled bank card (credit or debit card) for quick confirmation, after entering their password on the bank card app they previously installed. Instead of many complicated steps, this was a fast way to get yourself and your transaction authenticated. The efforts and drive toward two factor authentication using tokenization for card and phone security quickly gave way to biometric tools, such as voice recognition and fingerprint scanners built into smartphones.[36]

Apple finally announced at its September 9, 2014 product launch in Cupertino, Calif., that it was joining the ranks of companies, such as Google, that had tried with lackluster success to get consumers to buy things with their phones, by introducing its own mobile payment offering.[37] Apple made it clear they wanted to turn your iPhone 6 and Apple Watch into a virtual wallet that could eventually replace the old plastic card sitting in your real wallet.

After years of speculation, the company was finally including the short-range wireless technology known as near field communications or NFC into its latest smartphone, the iPhone 6 and the bigger iPhone 6 Plus. It also announced a new digital wallet called ApplePay, which could be accessed securely using its fingerprint Touch ID technology introduced in the iPhone 5S. [38]

Apple’s new Apple Watch would also be equipped with NFC, which would enable older generations of the iPhone, specifically the iPhone 5, iPhone 5s and iPhone 5c to work with Apple Pay. Apple also announced that day that it was partnering with Visa, Mastercard, and American Express along with several of the larger card issuing banks to allow iPhone users to store their credit card accounts. Apple Pay would be available in 220,000 US merchant locations that already take mobile payments via the NFC’s short range, secure wireless capabilities.

Apple also worked with other retailers, including Macy’s, Walgreens, Duane Reade, Staples, Subway, McDonald’s, Disney, and Whole Foods, among others to bring Apple Pay to physical store locations. At McDonald’s it was even adding Apple Pay to the drive-through, Eddy Cue, senior vice president of Internet software and services, said during the presentation.[39] Disney was expected to have all of its retail locations outfitted with Apple Pay by Christmas of ‘14. Apple’s mobile-payment system would also work with federal payment cards, including Social Security and veterans benefits that were paid through debit card.

Apple CEO Tim Cook said during the September 9, 2014 presentation that Apple’s vision is to replace a wallet, and more specifically to replace antiquated, plastic credit cards. Cook noted that there are more than 200 million credit card and debit card transactions processed per day in the U.S. with consumers spending more than $12 billion every day between credit cards and debit cards.[40]

The way Apple Pay works is that users are able to simply tap their devices outfitted with a small NFC chip, which stores its payment credentials, on a payment terminal in the checkout aisle at a rapidly growing number of different merchants. This allows the store to access the customer’s credit card payment credentials so the credit card account can be charged.

When iPhone 6, iPhone 6 Plus and Apple Watch users make a payment, these credit card accounts will be charged, just as a credit card account is charged when someone makes a purchase in Apple’s iTunes music store. Following an already emerging trend in the payments industry, Apple was using what’s known as tokenization technology to add another level of security to the transaction. The benefit of using tokens is that even if they are intercepted by a fraudster, they are rendered useless in the next transaction, because they are constantly changing.
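The contrast drawn above between static magstripe data and per-transaction dynamic data or tokens can be seen in a small model. This is an added example, not from the book and not the real EMV or Apple Pay cryptography: HMAC-SHA256 with a transaction counter stands in for the card's dynamic cryptogram, and all class names, field names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets


def _mac(key: bytes, fields: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the transaction fields."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class ChipCard:
    """Hypothetical chip (or phone secure element): holds a secret key and a counter."""

    def __init__(self, key: bytes):
        self._key = key
        self._counter = 0

    def pay(self, amount_cents: int, merchant: str, terminal_nonce: str) -> dict:
        # Every payment bumps the counter, so every cryptogram is different.
        self._counter += 1
        fields = {"counter": self._counter, "amount_cents": amount_cents,
                  "merchant": merchant, "nonce": terminal_nonce}
        return {**fields, "cryptogram": _mac(self._key, fields)}


class Issuer:
    """Hypothetical issuer: shares the card key and remembers the highest counter seen."""

    def __init__(self, key: bytes):
        self._key = key
        self._highest_counter = 0

    def authorize(self, txn: dict) -> str:
        fields = {k: v for k, v in txn.items() if k != "cryptogram"}
        expected = _mac(self._key, fields)
        if not hmac.compare_digest(expected, str(txn.get("cryptogram", ""))):
            return "declined: bad cryptogram"
        if fields["counter"] <= self._highest_counter:
            return "declined: replayed transaction"
        self._highest_counter = fields["counter"]
        return "approved"


def magstripe_authorize(presented_track: str, track_on_file: str) -> str:
    """Static stripe model: the same bytes are valid for every purchase."""
    return "approved" if hmac.compare_digest(presented_track, track_on_file) else "declined"


def demo() -> dict:
    key = secrets.token_bytes(32)
    card, issuer = ChipCard(key), Issuer(key)
    results = {}

    # A genuine purchase, then the same captured message presented again.
    first = card.pay(1999, "COFFEE-SHOP-01", secrets.token_hex(4))
    results["genuine"] = issuer.authorize(first)
    results["replayed"] = issuer.authorize(dict(first))

    # A second purchase whose amount was altered after the card signed it.
    second = card.pay(500, "COFFEE-SHOP-01", secrets.token_hex(4))
    results["tampered"] = issuer.authorize(dict(second, amount_cents=50000))

    # Constructed placeholder for stripe data: a copy is accepted again and again.
    track = "CONSTRUCTED-TRACK-DATA-0000"
    results["magstripe_copy"] = [magstripe_authorize(track, track) for _ in range(2)]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The counter check is what makes an intercepted message worthless on a second use, while the static stripe model has nothing that distinguishes the original from a copy.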

The NFC-oriented ApplePay, SamsungPay, and AndroidPay are a contactless payment technology that pulls your credit cards, debit cards, and other sensitive payment data from the Wallet app, enabling you to use the phone in lieu of a wallet or purse when shopping.[41] ApplePay became widespread in the US in 2015, and in the UK, Canada, and Australia as of early 2016, with plans to expand its use worldwide.

The End of Pesky Passwords and Pin Codes?

Apple essentially declared war on passwords and weak security with the introduction in 2014 of ApplePay and its fingerprint reader to the iPhone 5S and later models. The “TouchID” fingerprint scanner is used to access the device and can be used for app purchases, but the fingerprint data was stored on the device, and was not backed up to the cloud.[42] In March of 2015, Samsung and Google released their versions of fingerprint-based systems called SamsungPay and AndroidPay respectively.

These systems allow people to store debit and credit cards in a de facto electronic wallet, with no need for memorizing pin codes or passwords. “The operative personal and credit data is stored on a secured chip by using cryptography, and personal biometric data is not exchanged externally,” explained Jean-Noel Georges, global director of the digital identification program at research company Frost and Sullivan, in a June 2015 article from Bankrate.com.[43] These smartphone company moves help all retailers, in terms of costs, speed, and security, including leading online processors such as PayPal. PayPal’s chief Information Security Officer Michael Barrett pointed out that “most users pick poor passwords and reuse them everywhere.” “That has the effect of reducing the security of the most secure account to the security of the least secure place they visit on the internet.”[44]

The NFC chip-enabled smartphones will also allow bank apps to dispense cash for you at ATM machines without you needing to insert a plastic card. The “cardless” transaction will take about ten seconds, which will allow you to reduce your physical time spent at the ATM itself, and eliminate skimming, in which criminals try to steal the data on a card by inserting devices into the ATM card slot. ATM manufacturer Diebold was testing a “headless” teller machine, without a screen or keypad, which will dispense cash for the consumer after they verify their identity through a fingerprint reader, or perhaps an iris scanner built into the ATM, as of the spring of 2016.[45]

Ditsa Keren is a web content specialist, providing top quality, SEO-oriented writing and translation services, to bring your readers the quality they deserve and make your website shine on the top of Google's charts!
In recent years, Ditsa has been developing WordPress websites for businesses large and small, all with SEO guidelines in mind right from the start, providing clients with an optimum starting point for building their online presence.